Coverity static analysis for C, C++ and Java code

James Hunt james.hunt at
Wed Apr 10 13:39:41 UTC 2013

On 10/04/13 13:41, Loïc Minier wrote:
> On Mon, Apr 08, 2013, James Hunt wrote:
>> We're already using it for critical packages including Upstart and
>> Whoopsie [3], but it would be great to expand its scope to make its use
>> the norm rather than the exception.
> Cool!  How did you hook it up to the Upstart sources though?
I haven't done that yet - currently a slightly manual process but looking at
ways to automate further (starting with a daily cron :) Ideally, I'd like to
have all MPs scanned.

> at release
> time, or e.g. from some Jenkins job pushing the latest version daily?
> Does this scan the Ubuntu branch of Upstart, the upstream one or both?
I do both.

> Would it be ok license-wise and hard for us to do this at a larger
> scale; e.g. have some kind of daily job that pushes the latest Ubuntu
> source packages from a set to be tested?
I don't know. Coverity seemed to have relaxed the restriction that the
individual that requests Coverity scans for a project be the "project owner". If
you look at the "Role with the Project" option on [1], there are now 6 values
including "other". I'll contact them and see if it might be possible...

Kind regards,


[1] -

James Hunt
#upstart on freenode
